Product Overview

This chapter provides a general overview of the Cisco Anomaly Guard Module (Guard module) including its major components and how they work together to protect network elements from malicious attack traffic.

Understanding the Guard Module

The Guard module is a Distributed Denial of Service (DDoS) attack mitigation device that diverts suspect traffic from its normal network path to itself for cleaning. During the traffic cleaning process, the Guard module identifies and drops the attack packets and forwards the legitimate packets to their targeted network destinations.

Typically, you deploy the Guard module in a distributed upstream configuration at the backbone level. You can install the Guard module in one of the following Cisco products:

•Catalyst 6500 series switch

•Cisco 7600 series router

You define the network elements, or zones, that the Guard module protects against DDoS attacks. When a zone is under attack, the Guard module diverts only the network traffic that is destined for the targeted zone, identifies and drops specific attack packets, and forwards legitimate traffic packets to the zone. The Guard module constantly filters the zone traffic and stays on the alert for evolving attack patterns. When the Guard module determines that the attack on the zone has ended, it stops diverting the zone traffic to itself. By diverting network traffic only when needed, the Guard module can assume its protective role when there is an attack but remain unobtrusively in the network background for the rest of the time.

The Guard module allows you to do the following tasks:

•Traffic learning—Learn the characteristics (services and traffic rates) of normal zone traffic using an algorithm-based process. During the learning process, the Guard module modifies the default zone traffic policies and policy thresholds to match the characteristics of normal zone traffic. The traffic policies and thresholds define the reference points that the Guard module uses to determine when the zone traffic is normal or abnormal (indicating an attack on the zone).

•Traffic protection—Distinguish between legitimate and malicious traffic and filter the malicious traffic so that only the legitimate traffic is allowed to pass on to the zone.

•Traffic diversion—Divert the zone traffic from its normal network path to the Guard module learning and protection processes and then return the legitimate zone traffic to the network.

Figure 1-1 shows a sample network application in which the Guard module diverts zone traffic to itself so it can learn the zone traffic or protect the zone from an attack.

Understanding Spoofed Attacks

A spoofed attack is a type of DDoS attack in which the packets contain an IP address in the header that is not the actual IP address of the originating device. The source IP addresses of the spoofed packets can be random or have specific, focused addresses. Spoofed attacks saturate the target site links and the target site server resources. It is easy for a computer hacker to generate high-volume spoofed attacks even from a single device.

To overcome spoofed attacks, the Guard module performs anti-spoofing processes that use challenge-response algorithms that can distinguish spoofed traffic from nonspoofed traffic. The Guard module considers the traffic that passes the anti-spoofing mechanisms as authenticated traffic.

Understanding Nonspoofed Attacks

Nonspoofed attacks (or client attacks) are mostly TCP-based with real TCP connections that can overwhelm the application level on the server rather than the network link or operating system.

The Guard module initially activates an anti-spoofing mechanism to block all spoofed packets. The Guard module then performs a statistical analysis on the traffic to detect and block anomalies in the traffic that are not spoofed, such as an unusual number of SYN packets, a large number of concurrent connections, or a high traffic rate.

Client attacks from a large number of clients (or zombies) may overwhelm the server application even without any of the individual clients creating an anomaly. The zombie programs try to imitate legitimate browsers that access the target site. The Guard module anti-zombie processes mitigate such HTTP attacks by using a challenge-response authentication process to differentiate between legitimate browsers and zombie programs that access the attacked site.

Understanding Zones, Zone Policies, and the Learning Process

This section describes what a Guard module zone represents, how zone policies detect traffic anomalies, and how the Guard module learns the zone traffic characteristics.

Understanding Zones

A zone that the Guard module protects can be one of the following elements:

•A network server, client, or router

•A network link, subnet, or an entire network

•An individual Internet user or a company

•An Internet Service Provider (ISP)

•Any combination of these elements

When you create a new zone, you assign a name to it and configure the zone with network addresses. The Guard module configures the zone with a default set of policies and policy thresholds to detect anomalies in the zone traffic.

The Guard module can protect multiple zones at the same time if the network address ranges do not overlap.

Understanding the Zone Policies

When the Guard module protects a zone, the policies associated with the zone configuration enable the Guard module to detect anomalies in the zone traffic and mitigate attacks on the zone. When the traffic flow exceeds a policy threshold, the Guard module identifies the traffic as abnormal or malicious and dynamically configures a set of filters to apply the appropriate protection level to the traffic flow according to the severity of the attack.

Understanding the Learning Process

The learning process enables the Guard module to analyze normal zone traffic and create a set of zone-specific policies and policy thresholds that are based on the analyzed traffic. The zone-specific policies and policy thresholds enable the Guard module to more accurately detect zone traffic anomalies.

You enable the learning process to replace the default set of zone policies or to update the current set of zone policies that may not be configured properly to recognize current normal traffic services and volume. When policy thresholds are set too high compared to the current normal traffic volume, the Guard module might not be able to detect traffic anomalies (attacks). When policy thresholds are set too low, the Guard module may mistake legitimate traffic for attack traffic.

The learning process consists of the following two phases:

•Policy Construction Phase—Creates the zone policies for the main services that the zone traffic uses. To create zone policies, the Guard module follows the rules established by the policy templates that each zone configuration contains.

•Threshold Tuning Phase—Tunes the thresholds of the zone policies to values that are appropriate for recognizing the normal traffic rates of the zone services.

Understanding Zone Protection

You can activate zone protection on the Guard module by using one of the following methods:

•Manually—You can manually access the Guard module and activate protection for a zone.

•Automatically—You can configure the Guard module to accept a protection activation message from a network attack detection device, such as the Cisco Traffic Anomaly Detector (Detector).

Note The Detector is the companion product of the Guard module. The Detector is a DDoS attack detection device that can analyze a copy of the zone traffic and activate the Guard module attack mitigation services when the Detector determines that the zone is under attack. The Detector can also synchronize zone configurations with the Guard module. For more information about the Detector, see the Cisco Traffic Anomaly Detector Module Configuration Guide and Cisco Traffic Anomaly Detector Configuration Guide.

Understanding Traffic Filters

The Guard module uses four types of traffic filters to apply the required protection level to the zone traffic. You can configure these filters to customize the traffic flow and control the DDoS protection operation.

•Flex-Content filters—Count or drop a specified traffic flow and filter according to fields in the IP and TCP headers and content bytes.

•Dynamic filters—Apply the required protection level to the specified traffic flows. The Guard module creates dynamic filters only when it detects an attack on the zone and configures them based on its analysis of the traffic flow. The Guard module continuously modifies this set of filters based on the zone traffic, type of DDoS attack, and changes to the attack characteristics.

The Guard module has three protection levels that enable it to apply different processes to the traffic flows:

•Analysis protection level—Allows the traffic to flow monitored, but unhindered, during zone protection if no anomalies are detected. Once the Guard module detects an anomaly, it applies the appropriate protection level to the traffic.

•Basic protection level—Activates anti-spoofing and anti-zombie functions to authenticate the traffic by inspecting the suspicious traffic flow to verify its source.

•Strong protection level—Activates severe anti-spoofing functions that inspect the traffic flow packets to verify the legitimacy of the flow.

The Guard module analyzes the traffic and coordinates the efforts of the zone policies that monitor the zone traffic for anomalies with the zone filters. In addition, it limits the rate of traffic that it injects onto the zone to prevent traffic overflow.

Understanding the Different Protection Modes

You can activate the Guard module to perform zone protection as follows:

•Automatic protect mode—Automatically activates the dynamic filters that it creates during an attack.

•Interactive protect mode—Creates dynamic filters during an attack but does not activate them. Instead, the Guard module groups the dynamic filters as recommended actions for you to review and decide whether to accept, ignore, or direct these recommendations to automatic activation.

Understanding the Protect and Learn Function

You can activate the threshold tuning phase of the learning process and activate zone protection simultaneously (the protect and learn function) to enable the Guard module to learn the zone policy thresholds and at the same time monitor the traffic for anomalies. When the Guard module detects an attack, it stops the learning process and begins mitigating the attack. The Guard module resumes the learning process when the attack ends. This process prevents the Guard module from learning malicious traffic thresholds during an attack.
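The following Python model is an added illustration of the learning process described above (policy construction, then threshold tuning) together with the protect and learn rule; it is not Guard module code, and the service names, the sample rates, and the 1.5x threshold margin are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed "normal" zone traffic samples: (service, packets per second).
NORMAL_FLOWS = [("tcp/80", 950), ("tcp/80", 1050),
                ("tcp/443", 400), ("tcp/443", 420),
                ("udp/53", 120), ("udp/53", 110)]


class ZoneLearner:
    """Hypothetical model of a zone's policies and their learned thresholds."""

    def __init__(self, default_threshold, margin=1.5):
        self.default_threshold = default_threshold  # default policy threshold
        self.margin = margin                        # headroom above the learned mean
        self.policies = {}                          # service -> threshold
        self.samples = defaultdict(list)            # service -> observed normal rates
        self.attacks = []                           # anomalies seen while protecting

    def construct_policies(self, flows):
        """Policy construction phase: one policy per service seen in normal traffic,
        starting from the default threshold."""
        for service, _rate in flows:
            self.policies.setdefault(service, self.default_threshold)

    def tune_thresholds(self, flows):
        """Threshold tuning phase: move each policy threshold to the normal rate
        of its service plus a margin, so normal traffic is not flagged."""
        for service, rate in flows:
            self.samples[service].append(rate)
        for service, rates in self.samples.items():
            self.policies[service] = mean(rates) * self.margin

    def protect_and_learn(self, flows):
        """One observation interval in protect and learn mode. Any flow above its
        policy threshold is an anomaly: learning is suspended for the interval so
        attack rates never become the baseline. Returns True if learning ran."""
        anomalies = [(s, r) for s, r in flows
                     if r > self.policies.get(s, self.default_threshold)]
        if anomalies:
            self.attacks.append(anomalies)   # mitigation would start here
            return False
        self.tune_thresholds(flows)          # quiet interval: keep learning
        return True
```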

Understanding On-Demand Protection

You can use the default zone templates and associated default policies to protect a zone without enabling the Guard module to learn the zone traffic characteristics. The default policies and filters in the Guard module zone templates can protect a zone that has traffic characteristics that are unknown to the Guard module.

Understanding Attack Reports

The Guard module provides an attack report for every zone that provides zone status information and details of the attack, starting with the production of the first dynamic filter and ending with protection termination.

Understanding the Protection Cycle

The Guard module protection cycle applies the zone filters, zone policies, and the Guard protection levels to the traffic flow to analyze and clean the zone traffic and inject legitimate traffic only to the zone. Figure 1-2 shows the Guard module protection cycle.

Figure 1-2 Guard Protection Cycle

Once zone protection is activated by you or by an anomaly detection device such as the Detector, the Guard module diverts the zone traffic to itself where the policies of the zone configuration monitor the traffic flow. A policy executes an action against a particular traffic flow when the flow exceeds the policy threshold. Policy actions can range from issuing a notification to creating new filters (dynamic filters) that direct the traffic to the appropriate protection level. The Guard module analyzes the traffic flow, drops the traffic that exceeds the defined rate that the zone can handle, and then injects the legitimate traffic back to the zone.

During the attack, the Guard module performs a closed-loop feedback cycle in which it adjusts the zone protection measures to the dynamically changing zone traffic characteristics. The Guard module adjusts the protection strategies to handle any changes to the DDoS attack and traffic flow. The Guard module stops zone protection if no dynamic filters are in use, the traffic to the zone has not been dropped, or no new dynamic filters have been added over a predefined period of time.

Understanding the 1-Gbps and 3-Gbps Bandwidth Options

The Guard module can operate at two different bandwidth performance levels: 1 Gigabit per second (Gbps) or 3 Gbps. The software image that you load on the Guard module determines the operating bandwidth by controlling the three physical interfaces between the module and the supervisor engine. The installed software image controls the interfaces as follows:

•6.0 software image—Provides 1-Gbps throughput, allowing data traffic to move between the supervisor engine and the Guard module over a single interface port. A second interface port transports out-of-band management traffic only. The third interface port is not used.

•6.0-XG software image—Provides 3-Gbps throughput, enabling all three of the interface ports to transport data traffic and inband management traffic. Each port has a maximum bandwidth of 1 Gbps for a total operating bandwidth of 3 Gbps. To use the XG software image, the Guard module requires a software license.

Note You can order the Guard module with either software image installed or you can upgrade a 6.0 software image (1-Gbps operation) to the 6.0-XG software image (3-Gbps operation). If you order a new Guard module with the 6.0-XG software image, Cisco installs the required license along with the software image. For information about upgrading to the 6.0-XG software image, see the "Upgrading the Bandwidth Performance from 1 Gbps to 3 Gbps" section on page 14-16.

Table 1-1 shows the correlation between the Guard module physical interfaces and the supervisor engine ports. The table also shows how the CLI designator for interface eth1 (management traffic only) changes to giga1 (data and management traffic) after you install the software image for 3-Gbps operation.

–3-Gbps operation—Define the VLAN for inband management traffic on one or more physical interfaces.

When operating with the 3-Gbps software image, the Guard module validates the interface configurations when you activate zone protection. If you do not have the three interfaces properly configured for traffic diversion, the Guard module does not activate zone protection. The Guard module also prompts you to manually activate the validation process when entering the interface configuration mode, removing a proxy IP address, or configuring the traffic diversion parameters. For more information about the validation process, see the "Validating the Guard Module Network Configuration" section on page 5-20.